Disabling Security Timestamps

I’m using the WSHttp binding for message security with a non-WCF system. The other system doesn’t have a complete security implementation, and in particular it doesn’t know how to process message timestamps. How can I disable verification of the security timestamps in messages without turning off security?

Timely delivery of data is always a concern in messaging systems. Security has a special interest in delivery times because short, expiring time windows are often very effective at limiting the attack surface of a message exchange. It is possible to disable the generation and checking of these timestamps, although you should be aware that doing so does leave your system a little less secure.

Since I knew there was a setting for timestamp generation somewhere, I very quickly looked through the WSHttp binding to see if I could find it. When I couldn’t find it on the binding, I simply went back to the binding elements and found it there on the security binding element. That means we can use our standard method for deriving a custom binding from one of the standard bindings.

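using System.ServiceModel;
using System.ServiceModel.Channels;

// Copy the standard binding's elements, then switch off timestamps on the security element.
WSHttpBinding oldBinding = new WSHttpBinding();
BindingElementCollection elements = oldBinding.CreateBindingElements();
elements.Find<SecurityBindingElement>().IncludeTimestamp = false;
CustomBinding newBinding = new CustomBinding(elements);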
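
To make concrete what the expiring time window buys you, here is an added example (not code from the original post, and not WCF's internal implementation) of the freshness check a receiver can apply to a wsu:Timestamp header. The class name TimestampCheck, the five-minute clock skew and the sample header are assumptions constructed for illustration.

```csharp
using System;
using System.Globalization;
using System.Xml.Linq;

static class TimestampCheck
{
    // WS-Security utility namespace that defines wsu:Timestamp, wsu:Created and wsu:Expires.
    static readonly XNamespace Wsu =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    // Returns null when the timestamp is acceptable, otherwise the reason it is rejected.
    public static string Validate(XElement timestamp, DateTime nowUtc, TimeSpan maxClockSkew)
    {
        if (timestamp == null) return "no wsu:Timestamp in the security header";
        XElement created = timestamp.Element(Wsu + "Created");
        XElement expires = timestamp.Element(Wsu + "Expires");
        if (created == null || expires == null) return "Created or Expires is missing";

        DateTime createdUtc, expiresUtc;
        if (!TryParseUtc(created.Value, out createdUtc) || !TryParseUtc(expires.Value, out expiresUtc))
            return "Created or Expires is not a valid xsd:dateTime";

        if (expiresUtc <= createdUtc) return "Expires is not after Created";
        if (createdUtc > nowUtc + maxClockSkew) return "Created is in the future";
        if (expiresUtc < nowUtc - maxClockSkew) return "message has expired";
        return null;
    }

    static bool TryParseUtc(string text, out DateTime valueUtc)
    {
        return DateTime.TryParse(text, CultureInfo.InvariantCulture,
            DateTimeStyles.AdjustToUniversal | DateTimeStyles.AssumeUniversal, out valueUtc);
    }

    static void Main()
    {
        // Constructed sample header fragment, not captured traffic.
        XElement ts = XElement.Parse(
            "<u:Timestamp xmlns:u='" + Wsu.NamespaceName + "'>" +
            "<u:Created>2024-01-01T12:00:00Z</u:Created>" +
            "<u:Expires>2024-01-01T12:05:00Z</u:Expires></u:Timestamp>");
        TimeSpan skew = TimeSpan.FromMinutes(5); // assumed tolerance for this example
        DateTime sent = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc);
        Console.WriteLine(Validate(ts, sent.AddMinutes(2), skew) ?? "accepted");   // inside the window
        Console.WriteLine(Validate(ts, sent.AddMinutes(30), skew) ?? "accepted");  // old message resent later
        Console.WriteLine(Validate(null, sent, skew) ?? "accepted");               // timestamp omitted
    }
}
```

With IncludeTimestamp set to false, the third case is what every message looks like: there are no Created and Expires values to check, so freshness can no longer be enforced this way.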


Comments (2)

  1. I don’t know how many people use the code I post, but I frequently stumble across peculiar or interesting

  2. James Zhou says:

    Brent Sheets has compiled and categorized a series of resources on WCF security.